Regarding Site-to-site VPN

Solved
KSM
Here to help


Hi Meraki

Non-Meraki site-to-site VPN troubleshooting

I currently have a tunnel between a Meraki MX and a Juniper SRX and AWS.

The SRX is acting as the hub, and both the MX and AWS are connected.

The MX is only connected to the SRX.

The tunneling is all good.

However, no packets are going out.

1. What is the tunnel source IP in MM?
2. When I capture site-to-site VPN packets, I don't see any packets. Is this correct?
3. Do I need to route them separately? Isn't it just a matter of declaring it on a private subnet?

1 Accepted Solution
GIdenJoe
Kind of a big deal

If you capture on the LAN side of the MX you should see the packets coming from a client in your MX network towards your MX (source MAC address client, dest MAC address Meraki MX). However on the WAN side you could only see ESP packets leaving your WAN IP towards the WAN IP of the SRX. Looking inside the site-to-site VPN is definitely possible with AutoVPN but I'm not exactly sure with IPsec VPN if this works. Should test it out 😉

In the logging you should make sure you have a CHILD_SA with all the necessary traffic selectors active before you can see traffic actually passing. The little green dot in the VPN status page is NOT enough.

The last thing that could be wrong is if you have any IPsec VPN firewall rules on the VPN page.
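The checks in the accepted answer can be turned into a small script. The following is an added example, not code from the original thread or from Meraki; it assumes a strongSwan-style wording for the IKE log line that reports an established CHILD_SA and its traffic selectors (the real MX event log wording may differ), and all subnets, addresses and captured packets are constructed. It flags two of the situations the answer describes: a spoke-to-AWS selector that never came up even though the SA to the SRX is green, and VPN-bound packets seen on the LAN side that never appear as ESP on the WAN side (or leave the WAN in cleartext).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed topology (assumed values, not from the thread).
LAN_SUBNET = ip_network("192.168.10.0/24")   # MX LAN
SRX_SUBNET = ip_network("10.20.0.0/24")      # hub LAN behind the SRX
AWS_SUBNET = ip_network("172.16.5.0/24")     # VPC reached through the SRX hub

# Constructed IKE daemon log in strongSwan-style wording (assumed format).
# Only the MX<->SRX selector pair is up; nothing covers the AWS subnet.
SAMPLE_IKE_LOG = """\
IKE_SA srx[1] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
CHILD_SA srx{1} established with SPIs c1a2b3d4_i e5f60718_o and TS 192.168.10.0/24 === 10.20.0.0/24
"""

CHILD_SA_RE = re.compile(
    r"CHILD_SA \S+ established .*?TS (?P<local>[\d.]+/\d+) === (?P<remote>[\d.]+/\d+)"
)


def established_selectors(log_text):
    """(local, remote) traffic-selector pairs for every CHILD_SA the log reports as established."""
    return {(ip_network(m["local"]), ip_network(m["remote"]))
            for m in CHILD_SA_RE.finditer(log_text)}


def missing_selectors(log_text, required):
    """Required (local, remote) pairs not covered by any established CHILD_SA."""
    have = established_selectors(log_text)
    return [(loc, rem) for loc, rem in required
            if not any(loc.subnet_of(hl) and rem.subnet_of(hr) for hl, hr in have)]


# Constructed capture summary: (interface, src, dst, ip_proto, dst_port).
SAMPLE_CAPTURE = [
    ("lan", "192.168.10.25", "10.20.0.7", 6, 443),       # client -> hub, cleartext on LAN: expected
    ("lan", "192.168.10.25", "172.16.5.9", 1, None),     # client -> AWS via hub, cleartext on LAN: expected
    ("wan", "203.0.113.10", "198.51.100.20", 17, 4500),  # IKE / NAT-T: expected control traffic
    ("wan", "203.0.113.10", "198.51.100.20", 50, None),  # ESP carrying tunnelled traffic: expected
    ("wan", "203.0.113.10", "8.8.8.8", 17, 53),          # ordinary internet traffic, not VPN-bound
    ("wan", "192.168.10.25", "172.16.5.9", 1, None),     # VPN-bound packet in cleartext on WAN: misroute
]

ESP = 50
UDP = 17
IKE_PORTS = {500, 4500}


def classify_capture(packets, local_subnet, remote_subnets):
    """Count what a LAN-side and a WAN-side capture should (and should not) contain."""
    counts = {"lan_cleartext": 0, "wan_tunnelled": 0, "wan_control": 0, "wan_leaked": 0, "other": 0}
    for iface, src, dst, proto, dport in packets:
        s, d = ip_address(src), ip_address(dst)
        vpn_bound = s in local_subnet and any(d in r for r in remote_subnets)
        if iface == "lan" and vpn_bound:
            counts["lan_cleartext"] += 1        # inner packets are visible here
        elif iface == "wan" and proto == ESP:
            counts["wan_tunnelled"] += 1        # only the encrypted envelope is visible here
        elif iface == "wan" and proto == UDP and dport in IKE_PORTS:
            counts["wan_control"] += 1
        elif iface == "wan" and vpn_bound:
            counts["wan_leaked"] += 1           # should never happen: traffic bypassed the tunnel
        else:
            counts["other"] += 1
    return counts


def diagnose(log_text, packets):
    """Human-readable findings combining the CHILD_SA check and the capture check."""
    findings = []
    for loc, rem in missing_selectors(log_text, [(LAN_SUBNET, SRX_SUBNET), (LAN_SUBNET, AWS_SUBNET)]):
        findings.append(f"no CHILD_SA covers {loc} -> {rem}; traffic to {rem} cannot enter the tunnel")
    counts = classify_capture(packets, LAN_SUBNET, [SRX_SUBNET, AWS_SUBNET])
    if counts["lan_cleartext"] and not counts["wan_tunnelled"]:
        findings.append("LAN sees VPN-bound packets but WAN shows no ESP: check VPN firewall rules and routing")
    if counts["wan_leaked"]:
        findings.append(f"{counts['wan_leaked']} VPN-bound packet(s) left the WAN in cleartext: "
                        "route or traffic-selector mismatch")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_IKE_LOG, SAMPLE_CAPTURE):
        print("FINDING:", line)
```

Feed it the real IKE log and a capture summary from both interfaces and an empty findings list means the tunnel is carrying what the LAN is sending; a green status with a missing selector pair is exactly the case the answer warns about.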

6 Replies
Badr-eddine
Getting noticed

Could you please provide additional information regarding the deployed topology? How are the AWS and the SRX connected?

Yes. Similarly, AWS and SRX are connected by IPsec.

alemabrahao
Kind of a big deal

Can you share a topology and configuration with us?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I'm so sorry
I have uploaded the topology to the link below.
https://community.meraki.com/t5/Security-SD-WAN/Meraki-mx-PAT-question/m-p/215975

It's a shame that outgoing packets from the LAN are captured, but site-to-site VPN packets are not.
